Information on data processing for this website in accordance with Art. 13 EU General Data Protection Regulation (GDPR) when collecting personal data from the data subject.

Data protection notice (version: GDPR 2.0 of 24 March 2023)

Medigene AG is responsible for this website. As the provider of a teleservice, we must inform you at the beginning of your visit about the type, scope and purpose of personal data collection and use. We must do so in a manner that is precise, transparent, easy to understand and easily accessible, using clear and simple language. This content has to be available to you at any time. 

We attach great importance to the security of your data and compliance with data protection regulations. The processing of personal data is subject to the provisions of the European and national legislation currently in force.

In the following data protection notice, our intention is to outline how we handle your personal data and how you can contact us:

Medigene AG
Lochhamer Straße 11
D-82152 Planegg

Telephone: +49 89 2000330

Commercial Register No: HRB 115761

Management: Dr. Selwyn Ho, Prof. Dr. Dolores J. Schendel

Our data protection officer

Sven Lenz
Datenschutzkanzlei Lenz GmbH & Co. KG
Bahnhofstraße 50
87435 Kempten

For questions regarding data protection or other data protection concerns, please send an e-mail to the following e-mail address:

A. General

For ease of understanding, we do not distinguish between the genders. For the purpose of equality, equivalent terms apply to all genders. The meaning of the terms used, such as “personal data” or its “processing”, can be found in Article 4 of the EU General Data Protection Regulation (GDPR).

The personal data processed within the scope of this website includes

  • usage data (e.g. visited sites of our website) and
  • content data (e.g. input for newsletter registration).

B. Specific

Data protection notice

We guarantee that we will only process your data in connection with the processing of your inquiries as well as for internal purposes and in order to provide content and the services that you request.

Bases for data processing

We process users’ personal data only in compliance with the relevant data protection regulations. The legal bases are:

  • Provision of contractual obligation
  • Processing is required by law
  • If you have given your consent (e.g. newsletter registration) 
  • Enforcement of our legitimate interest

This is where the above legal bases are regulated:

  • Processing for the purpose of providing our services and taking contract-related steps
    Art. 6 (1) b) GDPR
  • Processing for the purposes of compliance with our legal obligations
    Art. 6 (1) c) GDPR
  • Consent
    Art. 6 (1) a) and Art. 7 GDPR
  • Processing for the purposes of our legitimate interests
    Art. 6 (1) f) GDPR 

Data transfer to third parties

No data is transferred to a third party.

Data transfer to a third country or an international organization

A “third country” is a country in which the GDPR is not a directly applicable law. This basically includes all countries outside the EU or the European Economic Area.

No data is transferred to a third country or an international organization without legal basis.

Storage period of your personal data

We adhere to the principles of data economy and data reduction. This means that we only store your data for as long as is necessary to fulfill the above-mentioned purposes or in accordance with the various storage periods stipulated by law. If the respective purpose no longer applies or if the relevant storage periods expire, your data will be routinely blocked or deleted in accordance with statutory provisions.

For this purpose, we have drawn up an internal company concept to ensure this procedure.


If you contact us via this website, you agree to electronic communication. During the contact process, personal data is processed. The information you provide will be stored exclusively for the purpose of processing your inquiry and for possible follow-up questions.

The legal bases for this are as follows:

  • Processing for the purpose of providing our services and taking contract-related steps
    Art. 6 (1) b) GDPR

We would like to point out that, during transmission, e-mails can be read or changed unnoticed and without authorization. Please also note that we use software to filter unsolicited e-mails (spam filter). Use of the spam filter may result in the rejection of e-mails that have been falsely identified as spam due to certain characteristics.

What rights do you have?

    1. Right to information
      You have the right to obtain information about your stored data, free of charge. Upon request, we will inform you in writing of your personal data that we have stored. This also includes the origin and recipients of your data as well as the purpose of data processing.
    2. Right to rectification
      You have the right to have your data that we store rectified if it is incorrect. In doing so, you can request restriction of processing, e.g. if you contest the accuracy of your personal data.
    3. Right to blocking
      You can also have your data blocked. In order to allow blocking of your data at any time, this data must be held in a blocking file for control purposes.
    4. Right to erasure
      You can also request the erasure of your personal data, provided there are no statutory retention requirements. Insofar as such an obligation exists, we will block your data on request. If the relevant legal requirements are met, we will erase your personal data even if you do not request us to do so.
    5. Right to data portability
      You are entitled to request that we provide you with the personal data you have provided to us in a format that allows it to be transferred to another location.
    6. Right to lodge a complaint with a supervisory authority
      You have the option to lodge a complaint with one of the data protection supervisory authorities.

      The competent data protection authority is:

      Bavarian Department of Data Protection Supervision (BayLDA)
      Promenade 27, D-91522 Ansbach
      Telephone: +49 981 53-1300
      Fax: +49 981 53-981300

      You can access the complaint form of the Bavarian Department of Data Protection Supervision via the following link:

    7. Right to object
      You have the possibility at any time, for reasons arising from your particular situation, to object to the processing of your data pursuant to Art. 6 (1) (e) and (f) GDPR; this also applies to profiling based on these provisions.

      Medigene AG will then no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

      If personal data are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing. In the event of such an objection, we will no longer process your personal data for the purposes of direct marketing. For this purpose, it is sufficient to send us a corresponding e-mail.

    8. Right of revocation
      You have the possibility at any time, without giving reasons, to revoke your consent given to the processing of your personal data with effect for the future. You will not experience any disadvantages as a result of the revocation. For this purpose, it is sufficient to send us a corresponding e-mail.

      However, such revocation shall not affect the lawfulness of the processing carried out on the legal basis of Art. 6 (1) a) GDPR until the time of revocation.

      To exercise your data subject rights, send us an e-mail to the following address: 

Protection of your personal data

We take contractual, technical and organizational security measures in line with state-of-the-art technology in order to ensure compliance with the provisions of data protection legislation and to safeguard the data processed against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

The security measures include in particular the encrypted transmission of data between your browser and our server. 256-bit SSL (AES 256) encryption technology is used for this purpose. 

Your personal data is protected within the scope of the following actions (excerpt):

  1. Maintaining the confidentiality of your personal data
    In order to protect the confidentiality of your personal data stored with us, we have taken a range of steps to control admission, entry and access.
  2. Safeguarding the integrity of your personal data
    In order to safeguard the integrity of your personal data stored by us, we have taken various measures to control the forwarding and input of such data.
  3. Ensuring the availability of your personal data
    In order to maintain the availability of your personal data stored with us, we have taken a number of steps to control compliance with work orders and availability.

The security measures in use are continuously improved in line with technological developments. Despite these precautions, due to the insecure nature of the internet, we cannot guarantee that your data will be transmitted securely to our website. As a result, any data transmission from you is at your own risk.

Protection of minors

Personal information may only be provided to us by persons under the age of 16 with the express consent of a parent or guardian. This data will be processed in accordance with this data protection declaration.


The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • browser type and browser version
  • operating system used
  • referrer URL
  • host name of the accessing computer
  • time of the server request
  • IP address

This data is not merged with other data sources.

The legal basis for the data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.


Cookies are small text files that are stored locally in the cache of your internet browser. Cookies allow (for example) the recognition of the internet browser. The files are used to help the browser navigate through the website and to ensure that all functions can be used to the full extent.

We only use cookies that are relevant to the system.


If you subscribe to our e-mail newsletter, we will send you press releases and company announcements as soon as they are published. Personal data is collected for this purpose. Your e-mail address is the only information required for sending the newsletter. Providing any further data is voluntary and will be used to address you personally. This data will be used by us for the purposes of sending selected information (newsletter) in the form of an e-mail, provided that you have expressly consented hereto as follows:

“Yes, I would like to receive information from Medigene.”

We use the “double opt-in” procedure to send the newsletter/e-mail notification. This means that we will only send information to you after you have explicitly confirmed that you consent to the sending. We will then send you a confirmation e-mail asking you to click on a link to confirm that you wish to receive our newsletter in the future.

By activating the confirmation link, you consent to the use of your personal data in accordance with Art. 6 (1) a) GDPR. When you register for the newsletter, we store your IP address as entered by the Internet Service Provider (ISP) as well as the date and time of registration. The purpose of this is to be able to track any possible misuse of your e-mail address at a later point in time.

You can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter, or by sending a message to us, e-mail: After you have unsubscribed, your e-mail address will immediately be deleted from our newsletter distribution list and included in a blocking file to ensure that revocation is successful.

Social networks

In addition to this online service, we also maintain a presence on various social media, which can be accessed via the corresponding buttons on our website. When you visit such a presence, personal data may be transmitted to the provider of the social network. It is possible that, in addition to the storage of the data specifically entered by you in this social medium, further information is also processed by the provider of the social network.

For more information, please see our social media privacy policy.

Changes to our privacy policy

We reserve the right to adjust our data protection declaration at short notice in order to reflect the latest legal requirements or to incorporate changes to our services. This could involve the introduction of new services, for example. Your return visit will then be subject to the new data protection declaration.

Information obligation on data processing in the application procedure pursuant to Art. 13 GDPR

This data protection information informs you about the processing of your applicant data at Medigene AG and Medigene Immunotherapies GmbH.

  1. We use your data exclusively for the purpose of your application.
  2. During the application process, there are clear rights of access: Only the persons responsible and the decision-makers on recruitment will see your application documents.
  3. Your application will only be passed on, e.g. for other vacancies in our company, with your consent.
  4. If you are not hired, we will delete your data after three months.
  5. If you are hired, we will transfer the relevant data to your personnel file.

Controller for the processing of your personal data

Unless otherwise contractually agreed, the controller for the collection, processing and use of your personal data is

Medigene AG
Lochhamer Straße 11
82152 Planegg/Martinsried

Medigene Immunotherapies GmbH
Lochhamer Straße 11
82152 Planegg/Martinsried


From a data protection point of view, the company that has published the vacancy is the data controller.

Personal information and personal data

According to Art. 4 No. 1 GDPR, your personal data includes all information that relates or can be related to your person, in particular by means of assignment to an identifier such as a name or an applicant number with which your person can be identified within the company.

Through your application, we receive information about you (both in paper format and in digital form) and the corresponding data that you provide to us in the course of your application. This may be, for example:

  • Title, surname, first name
  • Photo
  • E-mail address
  • Address of residence
  • Date of birth
  • Place of birth
  • Disability
  • Details of school and vocational education, further education and training and qualifications
  • References

Purposes and legal basis of processing

The respective controller collects, processes and uses your personal data exclusively for the purpose of carrying out the application process. Your data is therefore required for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b GDPR). This means that we need and therefore process your data for the purpose of a possible hiring.

Processing your data other than for the purposes mentioned is only permitted if the processing is in accordance with Art. 6 para. 4 GDPR and in accordance with the original purposes. We will inform you about such additional processing before processing your data.

In individual cases, we may obtain your consent to the processing or transfer of your data. This may be the case, for example, if your application is stored for a longer period of time or if your application is considered for another position within our company. In these cases, your consent is voluntary and can be revoked by you at any time in the future.

Duration of storage

Your personal data will only be stored for as long as knowledge of the data is required for the purposes of the employment or the purposes for which it was collected, or for as long as statutory or contractual retention requirements exist.

If a contractual relationship is not established, we will store your application data for 3 months for the purposes of verifiability in accordance with the General Act on Equal Treatment (Allgemeines Gleichbehandlungsgesetz – AGG). The legal basis for this is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.

If a contractual relationship is established (= employment), we will transfer the necessary information to the personnel file.

Transmission to recipients and/or third countries

Certain personnel administration and personnel management tasks are carried out centrally by Medigene AG. This also includes application management. If you have applied for an advertised position at Medigene Immunotherapies GmbH, your data will be processed by the HR department of Medigene AG, which is why Medigene AG is also granted limited access rights to your data. There is a data processing agreement between the two companies in accordance with Art. 28 GDPR.

Data is not transferred to other recipients. Data is not transferred to third countries.

Your data protection rights

You have a right to information about the personal data stored about you, about the purposes of processing, about any transfers to other bodies and about the duration of storage.

You can also receive extracts or copies to exercise your right to information. If data is incorrect or no longer required for the purposes for which it was collected, you can request that it be rectified, erased or that processing be restricted. Where provided for in the processing procedures, you can also view your data yourself and correct it if necessary.

If your particular personal situation gives rise to reasons against the processing of your personal data, you can object to the processing if the processing is based on a legitimate interest. In such a case, we will only process your data if there are special compelling interests in doing so.

If you have any questions about your rights and how to exercise them, please contact the HR department or the data protection officer.

Right to lodge a complaint

If you have any concerns or questions about the processing of your personal data and information, you can contact the HR department. You can also contact the data protection officer or a data protection supervisory authority using the contact details below.

The supervisory authority responsible for us is

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 27, 91522 Ansbach, Germany

Telephone: +49 981 53-1300

Telefax: +49 981 53-981300

Data protection officer

Sven Lenz

Datenschutzkanzlei Lenz GmbH & Co. KG

Bahnhofstraße 50, D-87435 Kempten, Germany

Telephone: +49 831 930653-00